Friday, December 28, 2007

Flashboot is a system built by Damien Miller and others as an adaptation of OpenBSD better suited to small flash-based hardware (like the Soekris or WRAP boards). For most applications you don't have to compile it on your own: you just put the binary release on a flash card and you're set (somewhat simplified).

Saturday, December 22, 2007

"It uses low-power, custom 64-bit MIPS-processor packages, which are basically entire computers on a single chip. 5832 processor cores and 8TB of RAM in one chassis, which draws less than 20 kilowatts of power."

"The SiCortex systems are completely open source, even down to the microcode."

Friday, December 21, 2007

A brief (over)look at ClamAV security and performance. Comparing Open Source Antivirus products with commercial products.

I've been looking into signature-based open source security products lately, namely antivirus software (for SMTP e-mail gateways, file servers or anything else that serves as a distribution point, as well as for desktop systems).

I've had a pretty good look at ClamAV and other ClamAV-based products (ClamWin or Spyware Terminator, which include the ClamAV engine) and found them rather weak, both from a security point of view (vulnerabilities) and in terms of detection rates, as well as performance (speed) and usability (interface, features, etc.).

Clam AntiVirus (ClamAV) is an open source (GPL) anti-virus toolkit for UNIX (also ported to Windows, and used by GUI products such as ClamWin) designed especially for e-mail scanning on mail gateways. It provides a number of utilities, including a flexible and scalable multi-threaded daemon, a command line scanner and an advanced tool for automatic database updates. The core of the package is an anti-virus engine available in the form of a shared library.

I. Security track record - a look at common vulnerabilities

So let's take a look at ClamAV's security track record. A simple look at the vulnerability summary on Secunia reveals a stunning 25 security advisories (1 unpatched), 31% of which lead to system access and 91% of which are exploitable from remote. 40% of the vulnerabilities are rated "Highly Critical". I realize that some of these are in 3rd party plugins, compression tools and such, but when an attacker can just send a specially crafted archive via e-mail (or any other means), overflow a buffer when ClamAV scans it and gain system access, that's when you need to look at other products. There are ways to mitigate this (permissions, limited users, chroots, jails and such), but still...

So let's compare that with another security product, Avira AntiVir, a multi-platform antivirus product (which also has a free version for non-commercial use). Secunia lists only 2 vulnerabilities for it, both local privilege escalation (and Windows only).

Vulnerabilities range from Denial of Service: "A NULL-pointer dereference error exists within the "cli_scanrtf()" function in libclamav/rtf.c. This can potentially be exploited to crash ClamAV via a specially crafted RTF file." to Buffer Overflow and System Access: "An integer overflow error in rebuildpe.c when rebuilding PE files after unpacking can be exploited to cause a heap-based buffer overflow via a specially crafted executable. Successful exploitation of this vulnerability may allow execution of arbitrary code."
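The second advisory quoted above describes a classic pattern: a size is computed from attacker-controlled fields in 32-bit arithmetic, wraps around, and the buffer allocated with the wrapped size is then far too small for the data copied into it. The following is an added illustration of that bug class, written for this page; it is not ClamAV's code and the section descriptor struct, field names and limits are hypothetical. It contrasts the unchecked computation with one that refuses to wrap and shows, purely arithmetically, how far a copy of the real data would run past the undersized heap buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical section descriptor, as an unpacker might read it from a file.
 * The value is attacker-controlled: it comes straight from the scanned input. */
struct section {
    uint32_t raw_size;   /* bytes to copy for this section */
};

/* Unchecked: header + sum of section sizes in 32-bit arithmetic.
 * Unsigned overflow is defined as modulo 2^32, so the sum silently wraps:
 * raw_size = 0xFFFFFF00 with a 0x200-byte header yields 0x100. */
uint32_t total_size_unchecked(const struct section *s, size_t n, uint32_t header)
{
    uint32_t total = header;
    for (size_t i = 0; i < n; i++)
        total += s[i].raw_size;
    return total;
}

/* Checked: refuse any addition that would wrap, and cap the result at a
 * sane maximum so a "legitimate" 4 GB image is rejected as well.
 * Returns 0 and stores the size in *out on success, -1 on overflow. */
int total_size_checked(const struct section *s, size_t n, uint32_t header,
                       uint32_t max_total, uint32_t *out)
{
    uint32_t total = header;
    if (total > max_total)
        return -1;
    for (size_t i = 0; i < n; i++) {
        if (s[i].raw_size > UINT32_MAX - total)   /* total + raw_size would wrap */
            return -1;
        total += s[i].raw_size;
        if (total > max_total)                    /* more than we are willing to rebuild */
            return -1;
    }
    *out = total;
    return 0;
}

/* How far copying the real data would run past a buffer allocated with the
 * wrapped size. Computed in 64 bits; no memory is touched. */
uint64_t heap_overrun_bytes(const struct section *s, size_t n, uint32_t header)
{
    uint64_t real = header;
    for (size_t i = 0; i < n; i++)
        real += s[i].raw_size;
    uint32_t alloc = total_size_unchecked(s, n, header);
    return real > alloc ? real - alloc : 0;
}

int main(void)
{
    /* Constructed input: one section claiming to be almost 4 GB long. */
    struct section evil[1] = { { 0xFFFFFF00u } };
    uint32_t out = 0;

    printf("unchecked total: 0x%x\n", total_size_unchecked(evil, 1, 0x200));
    printf("checked result:  %d\n", total_size_checked(evil, 1, 0x200, 64u << 20, &out));
    printf("heap overrun:    0x%llx bytes\n",
           (unsigned long long)heap_overrun_bytes(evil, 1, 0x200));
    return 0;
}
```

The check `s[i].raw_size > UINT32_MAX - total` is the portable way to test for an unsigned addition overflow before it happens; testing `total + raw_size < total` afterwards also works for unsigned types, but the same trick is undefined behaviour for signed integers, which is one reason these bugs survive review.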

II. Vulnerability assessment tools - Static Code Analysis

What about a source code audit of ClamAV? Well, I don't really have the time for that, but I did run it through Flawfinder, RATS and other static code analysis tools, looking for simple lexical "bad practices" and functions (string functions, for example) that may overflow buffers and so on.

So, I downloaded the source code for the latest stable release, ClamAV 0.91.2 (signature), and stumbled across a ton of bad programming practices. Most of the time these mean nothing (they aren't real vulnerabilities, let alone exploitable ones), but they are the places where bugs usually occur and, as such, should be avoided. We basically have hundreds of such occurrences (537 marked as High and 83 marked as Medium by RATS), so I'm just going to paste a few interesting examples here:

..\clamav-0.91.2/clamav-milter/clamav-milter.c:266: High: fixed size local buffer
Extra care should be taken to ensure that character arrays that are allocated on the stack are used safely. They are prime targets for buffer overflow attacks.

..\clamav-0.91.2/clamav-milter/clamav-milter.c:859: High: getopt_long
Truncate all input strings to a reasonable length before passing them to this function

..\clamav-0.91.2/shared/getopt.c:961: High: fprintf
Check to be sure that the non-constant format string passed as argument 2 to this function call does not come from an untrusted source that could have added formatting characters that the code is not prepared to handle.

..\clamav-0.91.2/sigtool/vba.c:1127: High: sprintf
Check to be sure that the format string passed as argument 2 to this function call does not come from an untrusted source that could have added formatting characters that the code is not prepared to handle. Additionally, the format string could contain `%s' without precision that could result in a buffer overflow.

..\clamav-0.91.2/clamav-milter/clamav-milter.c:1205: High: popen
Argument 1 to this function call should be checked to ensure that it does not come from an untrusted source without first verifying that it contains nothing dangerous.

..\clamav-0.91.2/clamav-milter/clamav-milter.c:1404: High: getenv
Environment variables are highly untrustable input. They may be of any length, and contain any data. Do not make any assumptions regarding content or length. If at all possible avoid using them, and if it is necessary, sanitize them and truncate them to a reasonable length.

..\clamav-0.91.2/shared/output.c:159: High: umask
umask() can easily be used to create files with unsafe privileges. It should be set to restrictive values.

..\clamav-0.91.2/clamav-milter/clamav-milter.c:1585: High: gethostbyname
DNS results can easily be forged by an attacker (or arbitrarily set to large values, etc), and should not be trusted.

..\clamav-0.91.2/clamav-milter/clamav-milter.c:1703: High: strcpy
Check to be sure that argument 2 passed to this function call will not copy more data than can be handled, resulting in a buffer overflow.

..\clamav-0.91.2/shared/misc.c:132: High: printf
Check to be sure that the non-constant format string passed as argument 1 to this function call does not come from an untrusted source that could have added formatting characters that the code is not prepared to handle.

..\clamav-0.91.2/shared/output.c:235: High: syslog
Truncate all input strings to a reasonable length before passing them to this function

..\clamav-0.91.2/freshclam/manager.c:1307: High: system
Argument 1 to this function call should be checked to ensure that it does not come from an untrusted source without first verifying that it contains nothing dangerous.

..\clamav-0.91.2/sigtool/sigtool.c:815: High: strcat
Check to be sure that argument 2 passed to this function call will not copy more data than can be handled, resulting in a buffer overflow.

..\clamav-0.91.2/libclamav/hashtab.c:408: High: sscanf
Check to be sure that the format string passed as argument 2 to this function call does not come from an untrusted source that could have added formatting characters that the code is not prepared to handle. Additionally, the format string could contain `%s' without precision that could result in a buffer overflow.

..\clamav-0.91.2/shared/options.c:194: High: strncat
Check to be sure that argument 1 passed to this function call will not copy more data than can be handled, resulting in a buffer overflow.

..\clamav-0.91.2/shared/getopt.c:983: High: getopt
Truncate all input strings to a reasonable length before passing them to this function

..\clamav-0.91.2/shared/output.c:212: High: vfprintf
Check to be sure that the non-constant format string passed as argument 2 to this function call does not come from an untrusted source that could have added formatting characters that the code is not prepared to handle.

..\clamav-0.91.2/sigtool/sigtool.c:609: High: scanf
Check to be sure that the format string passed as argument 2 to this function call does not come from an untrusted source that could have added formatting characters that the code is not prepared to handle. Additionally, the format string could contain `%s' without precision that could result in a buffer overflow.

..\clamav-0.91.2/test/pe/debugpe.c:165: Medium: signal
When setting signal handlers, do not use the same function to handle multiple signals. There exists the possibility a race condition will result if 2 or more different signals are sent to the process at nearly the same time. Also, when writing signal handlers, it is best to do as little as possible in them. The best strategy is to use the signal handler to set a flag, that another part of the program tests and performs the appropriate action(s) when it is set.
See also: http://razor.bindview.com/publish/papers/signals.txt

..\clamav-0.91.2/libclamav/mbox.c:4659: Medium: getc
Check buffer boundaries if calling this function in a loop and make sure you are not in danger of writing past the allocated space.

..\clamav-0.91.2/sigtool/sigtool.c:172: Medium: read
Check buffer boundaries if calling this function in a loop and make sure you are not in danger of writing past the allocated space.

..\clamav-0.91.2/clamav-milter/clamav-milter.c:4260: Medium: stat
A potential TOCTOU (Time Of Check, Time Of Use) vulnerability exists. This is the first line where a check has occurred. The following line(s) contain uses that may match up with this check: 4269 (open)

..\clamav-0.91.2/sigtool/vba.c:1063: Medium: realloc
Don't use on memory intended to be secure, because the old structure will not be zeroed out.

..\clamav-0.91.2/libclamav/lockdb.c:246: Medium: SetSecurityDescriptorDacl
If the third argument, pDacl, is NULL there is no protection from attack. As an example, an attacker could set a Deny All to Everyone ACE on such an object.

..\clamav-0.91.2/libclamav/msexpand.c:130: Medium: fgetc
Check buffer boundaries if calling this function in a loop and make sure you are not in danger of writing past the allocated space.

..\clamav-0.91.2/libclamav/others.c:433: Medium: srand
Standard random number generators should not be used to generate randomness used for security reasons. For security sensitive randomness a cryptographic randomness generator that provides sufficient entropy should be used.

..\clamav-0.91.2/libclamav/others.c:697: Medium: lstat
A potential TOCTOU (Time Of Check, Time Of Use) vulnerability exists. This is the first line where a check has occurred. The following line(s) contain uses that may match up with this check: 699 (rmdir), 715 (unlink)

..\clamav-0.91.2/contrib/Windows/Projects/clamAV/libclamav/regex.c:70: Medium: realloc
Don't use on memory intended to be secure, because the old structure will not be zeroed out.

You should keep in mind that ClamAV also relies on 3rd party libraries and tools, and its security also depends on those. Again, I remind you that these aren't actual vulnerabilities, just bad practices that MAY lead to vulnerabilities. You would need to read the code and employ various testing tools (fuzzing the scanner with malformed archives, for instance) to find the real ones.

The authors of ClamAV should really address these the way the OpenBSD developers do, even if it is something as simple as replacing strncat() with strlcat(), a function designed to be safer, more consistent and less error-prone (strlcpy()/strlcat() aren't in glibc though, so on other platforms the project would have to ship its own copies, which is why it's not quite as simple as that).

III. Detection rates

So, here are some tests made by various research projects:

AV-Test is an anti-virus research project at the Institute of Technical and Business Information Systems at the Otto-von-Guericke University Magdeburg (Germany).

They measured the detection times for six of the malware programs (released in August 2005) that exploit the MS05-039 Plug and Play vulnerability, under 36 different anti-virus products. Eleven of the products were able to detect one or more of the attacks proactively, without any special pattern update to identify them specifically. Here are the numbers for each of the eleven:

Product        Score
BitDefender    6 of 6
Fortinet       6 of 6
Nod32          5 of 6
eSafe          3 of 6
F-Prot         3 of 6
Panda          3 of 6
QuickHeal      3 of 6
McAfee         2 of 6
Norman         2 of 6
AntiVir        1 of 6
ClamAV         1 of 6

Number of descriptions in the database: 31928 out of 45159 live samples (70.7%)
Number of 'in the wild' descriptions in the database: 25 out of 30 live samples (83.3%)
(not very good, but not all that bad)

I definitely need to investigate this further, but so far I find ClamAV highly overrated, simply because it is "part of the open source movement". It lacks a real-time scanner (fair enough, seeing how it was designed for mail gateways), it has a horrible security track record, poor detection rates and dreadful performance. I somewhat doubt that it would last long as a commercial product. Still, it is available on multiple platforms, and the price is just about right :-).

Things aren't all bad though (and I may have been too rash and only brushed the surface here). ClamAV is a free product (open source, even), and it does leave a lot of room and opportunity to evolve. I just don't see this happening without powerful commercial backing. If you plan on using it, make sure you've got at least one other product scanning your e-mail as well :-).

Virtual Reality, Cheap! Johnny is back with more Wii hacks. This time, he uses the Wii Remote's infrared camera to perform head tracking (using 2 infrared LEDs or the Nintendo sensor bar). Basically, this gives him the position of the viewer's head in space (by solving the triangle), so he can move the displayed scene around to emulate a 3D display.

He makes the source code to his applications fully available, so if you feel like using a 3D display, an air keyboard or a virtual chalkboard, check his projects:

Monday, December 17, 2007

I have been using GNOME for over 7 years now, and feel that with every release it gets more unstable, buggy and bloated. Good features get removed or reimplemented in some horribly broken form. Or they just mess around with sane default settings (see "Always open in browser windows" giving way to the Windows 95-style "open a new window for each folder"). Sometimes they hide the icons, the trash can, the delay settings... and they so love to complicate the configuration files. But now...

- "Open terminal" is frustrating (and scary) for users not knowing what to do with a terminal, the vast majority of GNOME users nowadays. If anybody needs to open a terminal there is an easy way to do so through Applications. If really needed, the user could activate this preference from Preferences.

Yes people, that is why the right-click "Open Terminal" shortcut was REMOVED from GNOME 2.14 and later. It's a BUG since it SCARES away users. Boooo... and now you need to install a "plugin" like nautilus-open-terminal. WTF. Yes, all users must be idiots, let's remove a useful feature...

"This 'users are idiots, and are confused by functionality' mentality of Gnome is a disease. If you think your users are idiots, only idiots will use it. I don't use Gnome, because in striving to be simple, it has long since reached the point where it simply doesn't do what I need it to do."

Where Gnome aims to be in 5 years:

// Sorry for the rant, but I just had to get this off my chest... I miss Sawfish :-(.

The Direct Rendering Infrastructure(a.k.a.DRI) is a framework for allowing direct access to graphics hardware under the X Window System in a safe and efficient manner. It includes changes to the X server, to several client libraries, and to the kernel. The first major use for the DRI is to create fast OpenGL implementations.

This project aims to port the open source DRI framework to Solaris and provide 3D acceleration for Solaris x86. Meanwhile, the developers are working with hardware vendors to improve 3D performance.

FileVault is an encryption system found in Apple's Mac OS X v10.3 and later. It has quite a history of weaknesses: it has been shown vulnerable to watermarking attacks, and it did not encrypt the swap file by default (that option was added later), so the keys could be carved out of swap, etc...

"Patch Check Advanced (pca) generates lists of installed and missing patches for Sun Solaris systems and optionally downloads patches. It resolves dependencies between patches and installs them in correct order. It can be the only tool you ever need for patch management on a single machine or a complete network. Just one perl script, it doesn't need compilation nor installation, and it doesn't need root permissions to run. It works on all versions of Solaris, both SPARC and x86."

Saturday, December 15, 2007

Windows Server 2008 RC1 Enterprise is now available with a beta version of Windows Server Hyper-V, a key feature of Windows Server 2008 that will be included in Standard, Enterprise, and Datacenter x64 editions.

An earlier Customer Technology Preview (CTP) of Hyper-V is also available for download with Windows Server 2008 RC1 Standard, Enterprise, and Datacenter x64 editions.

This version of Hyper-V includes high availability and quick migration features, and can be installed on the reduced, GUI-less "Server Core" installation of Windows Server 2008. It also supports Windows and Linux guests, and snapshots.

Tarantella (now Sun Secure Global Desktop, SSGD) is a competitor to Terminal Services from Microsoft and to Citrix, but it's much more interesting (it's got Windows and Citrix connectors, thin client stuff, etc.). It's basically like GNU Screen (you can resume sessions and easily migrate between machines), but for X and via your web browser :-).

Starting SSGD in secure mode ("tarantella security start") requires a valid security license and an SSL certificate (you can create a self-signed certificate using OpenSSL and then import it into SSGD).

To add license keys, type:

/opt/tarantella/bin/tarantella license add

Once SSGD is installed and started, just point any Java-enabled browser at http://yoursite.yourdomain:selectedport and you're good to go :-). Log in as "Administrator" with the root password. (Use regular system accounts for non-administrative purposes. Oh, and secure SSGD by using Zones.)

Wednesday, December 12, 2007

Undelete Plus works under Win 95/98/Me/NT/2000/XP/2003/Vista operating systems. The program supports all Windows file systems for hard and floppy drives including FAT12/16/32,NTFS/NTFS5 and image recovery from CompactFlash, SmartMedia, MultiMedia and Secure Digital cards.

Recuva (pronounced "recover") is a freeware Windows utility to restore files that have been accidentally deleted from your computer.

R-Linux is a free file recovery utility for the Ext2FS partitions used by Linux and several Unix systems. Host OS: Win9x/ME/NT/2000/XP/2003. Recovered data can be written to any disk visible to the host OS. R-Linux can also create disk images that can later be processed by the more powerful R-Studio.

Fresh updates for Windows, including Office 2007 SP1 and some vital security updates including some IE vulnerability fixes. Better start those WSUS deployments for distributed update servers if you don't have one already :-).

Tuesday, December 11, 2007

I already told you about SIMH (which, among other things, emulates the VAX); now it's time to look at a working Alpha emulator (there is another one I know of that works, but it's rather expensive and intended for development purposes). This means you can run OpenVMS or Tru64 UNIX right at home, on your PC :-).

PersonalAlpha is an Alpha emulator that can run OpenVMS or Tru64 right on your i386 desktop machine.

Monday, December 10, 2007

Xenix was Microsoft's version of UNIX, licensed from AT&T back in the late 70s and later handed over to the Santa Cruz Operation (SCO), which continued to sell it as SCO Xenix before moving on to SCO UNIX. Microsoft did not sell Xenix directly to end-users, but instead licensed it to OEMs.

Xenix was originally based on AT&T UNIX System III, but also incorporated elements from BSD. Version 2.0 was based on UNIX System V, was later ported to 32-bit i386, and also introduced TCP/IP and SCSI support.

Trusted Information Systems also developed a Trusted Xenix variant, using the Bell-LaPadula model of multilevel security, which achieved an NSA B2 rating under TCSEC (only the B3 and A1 classes rank higher).

Overall, it was a pretty complete UNIX system (later versions came on as many as 96 5.25" floppy disks) and shipped with the X Window System, ed, vi, sh, csh, vsh, uucp, terminfo, mapchan and so on.

Good news is, you can run it yourself. There are at least three ways to run Xenix:

"Using an LED array and some reflective tape, you can use the infrared camera in the Wii remote to track objects, like your fingers, in 2D space."

"Since the Wiimote can track sources of infrared (IR) light, you can track pens that have an IR led in the tip. By pointing a wiimote at a projection screen or LCD display, you can create very low-cost interactive whiteboards or tablet displays. Since the Wiimote can track up to 4 points, multiple pens can be used."

http://www.cs.cmu.edu/~johnny/projects/wii/

Sunday, December 09, 2007

Accidentally rewritten your MBR (or even the partition table) and can't find your old Win9x friend, "fdisk /mbr"? Well, here are a couple of ways to fix it:

Fixmbr.exe - Repairs the master boot record of the boot disk. The fixmbr command is only available when you are using the Recovery Console. Example: "fixmbr \Device\HardDisk0"

Use the Bootrec.exe tool in the Windows Recovery Environment to troubleshoot and repair startup issues in Windows Vista. The /FixMbr option writes a Windows Vista-compatible MBR to the system partition. This option does not overwrite the existing partition table. Use this option when you must resolve MBR corruption issues, or when you have to remove non-standard code from the MBR.

TestDisk is a powerful free data recovery tool designed to help recover lost partitions and/or make non-booting disks bootable again.

GAG is an open source graphical boot manager which supports multiple operating systems. A GAG floppy or CD can be used to boot Windows (or any other OS); then use recovery tools to restore the MBR.

The MBR is the first 512-byte sector of the disk: the boot code occupies the first 446 bytes (offsets 0x000 to 0x1BD), the next 64 bytes (starting at offset 446 = 0x1BE) are the partition table (four 16-byte entries), and the last two bytes of the sector (offset 0x1FE) are the signature, always the bytes 0x55 0xAA. This means that you can use the "dd" tool to back up, restore or modify your MBR "by hand". Example:

dd if=/dev/YOURDISKHERE of=mymbr bs=446 count=1

This makes a backup copy of the 446 bytes of boot code, which can later be written back with dd (swap if= and of=). Note that a 446-byte backup does not include the partition table, so restoring it leaves the partition table and signature currently on the disk untouched, which is usually what you want when only the boot code was clobbered. If you also want the partition table, back up the whole sector with bs=512 instead, keeping in mind that restoring a 512-byte copy also overwrites whatever partition table is on the disk at that point :-).
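As an added example for this post (not the author's code), the sector layout above is small enough to parse and check by hand. The C program below builds a constructed 512-byte MBR in memory, verifies the 0x55 0xAA signature, decodes the four partition entries (active flag, type, little-endian LBA start and length), and then simulates restoring a 446-byte dd backup over it to show that the partition table survives such a restore. The partition type values are the well-known ids (0x07 NTFS, 0x83 Linux); everything else in the sample sector is made up.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MBR_SIZE       512
#define MBR_CODE_SIZE  446      /* what "dd bs=446 count=1" copies */
#define MBR_TABLE_OFF  0x1BE    /* == 446: four 16-byte partition entries */
#define MBR_SIG_OFF    0x1FE    /* 0x55 0xAA */

struct mbr_part {
    uint8_t  bootable;    /* 0x80 = active/bootable, 0x00 = inactive */
    uint8_t  type;        /* partition type id: 0x07 NTFS, 0x83 Linux, 0 = empty */
    uint32_t lba_start;   /* first sector of the partition */
    uint32_t sectors;     /* length in sectors */
};

/* The table stores 32-bit values little-endian regardless of host byte order. */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 1 if the sector ends with the boot signature, 0 otherwise. */
int mbr_has_signature(const uint8_t *sec)
{
    return sec[MBR_SIG_OFF] == 0x55 && sec[MBR_SIG_OFF + 1] == 0xAA;
}

/* Decodes the partition table into out[4]. Returns the number of
 * non-empty entries, or -1 if the signature is missing (sector is not a
 * valid MBR and its table must not be trusted). */
int mbr_parse(const uint8_t *sec, struct mbr_part out[4])
{
    if (!mbr_has_signature(sec))
        return -1;
    int used = 0;
    for (int i = 0; i < 4; i++) {
        const uint8_t *e = sec + MBR_TABLE_OFF + 16 * i;
        out[i].bootable  = e[0];
        out[i].type      = e[4];        /* bytes 1-3 and 5-7 are legacy CHS fields */
        out[i].lba_start = le32(e + 8);
        out[i].sectors   = le32(e + 12);
        if (out[i].type != 0)
            used++;
    }
    return used;
}

/* Simulates restoring a 446-byte dd backup: only the boot code is
 * replaced, the live partition table and signature are preserved. */
void mbr_restore_code_only(uint8_t *live, const uint8_t *backup446)
{
    memcpy(live, backup446, MBR_CODE_SIZE);
}

/* Constructed sample sector: zeroed boot code, one active NTFS partition
 * starting at LBA 63 with 0x1000 sectors, and a valid signature. */
void make_sample_mbr(uint8_t *sec)
{
    memset(sec, 0, MBR_SIZE);
    uint8_t *e = sec + MBR_TABLE_OFF;       /* entry 0 */
    e[0] = 0x80;                            /* active */
    e[4] = 0x07;                            /* NTFS */
    e[8] = 63; e[9] = 0; e[10] = 0; e[11] = 0;          /* lba_start = 63 */
    e[12] = 0x00; e[13] = 0x10; e[14] = 0; e[15] = 0;   /* sectors = 0x1000 */
    sec[MBR_SIG_OFF] = 0x55;
    sec[MBR_SIG_OFF + 1] = 0xAA;
}

int main(void)
{
    uint8_t sec[MBR_SIZE], backup[MBR_CODE_SIZE];
    struct mbr_part p[4];

    make_sample_mbr(sec);
    int n = mbr_parse(sec, p);
    printf("signature ok, %d partition(s)\n", n);
    for (int i = 0; i < 4; i++)
        if (p[i].type)
            printf("  #%d type 0x%02x %s start=%u len=%u\n", i + 1, p[i].type,
                   p[i].bootable == 0x80 ? "active" : "inactive",
                   p[i].lba_start, p[i].sectors);

    memset(backup, 0x90, sizeof backup);    /* stand-in for saved boot code */
    mbr_restore_code_only(sec, backup);
    printf("after 446-byte restore: %d partition(s) still present\n",
           mbr_parse(sec, p));
    return 0;
}
```

Checking the signature before trusting the table is the same test a BIOS applies before jumping into the boot code; a sector that fails it (for instance a zeroed or half-written MBR) should be treated as unparsed rather than decoded into garbage partition offsets.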

What about Linux or other operating systems? Well, you're probably using GRUB or LILO, so you can simply boot the installed system from (any) live CD (or GAG) and reinstall the boot loader. As simple as boot, fsck, mount, chroot, grub: you're set. You can also try using Super Grub Disk.

SIMH is a highly portable, multi-system simulator maintained by Bob Supnik, former DEC engineer and vice president. SIMH runs on pretty much anything: UNIX, BSD, Linux, Windows and even OpenVMS. If you're into historic computing, simulation of historic hardware or trying to migrate some really ancient applications, look into SIMH.

SIMH can also be used to migrate old machines to new platforms. For example, you can run VMS/VAX using SIMH on a modern UNIX system (Vienna's city administration still runs some VMS / VAX systems, and has started migrating them via emulation).

Saturday, December 08, 2007

Ever wanted to know what they teach at MIT? Well, here's your chance :-). Grab the courses and seminars, and find out!

MIT OpenCourseWare is an online repository of undergraduate and graduate-level courses from the Massachusetts Institute of Technology (MIT), available free and open to anyone, anywhere! There are about 1800 courses to go through, from Japanese language courses to computer science videos and seminars :-).

Thursday, December 06, 2007

The Metasploit Project is an open source computer security project that aids penetration testing and IDS signature development and provides information on security vulnerabilities.

Components:

The Metasploit Framework is a development platform for creating security tools and exploits. The framework is used by network security professionals to perform penetration tests, system administrators to verify patch installations, product vendors to perform regression testing, and security researchers world-wide. The framework is written in the Ruby programming language (rewritten from Perl) and includes components written in C and ASM. The Metasploit Framework consists of tools, libraries, modules, and user interfaces. The basic function of the framework is a module launcher, allowing the user to configure an exploit module and launch it at a target system. If the exploit succeeds, the payload is executed on the target and the user is provided with a shell to interact with the payload.

The Opcode Database contains the position of certain machine language opcodes in the attacked program or included DLLs

MSF-eXploit Builder

MSF-eXploit Builder (MSF-XB) is a free Windows GUI and exploit development platform for Metasploit Framework exploit modules. It will help you edit/modify/create/test exploit modules for the Metasploit Framework. It also contains an assortment of fuzzers (TAOF, ProxyFuzz, FileFuzz, WinFuzz) and various other tools (Branchseeker, Faultmon, mycrc, nc, Findjmp2 and even PsTools). It requires an installed Metasploit Framework and a debugger (try Immunity Debugger).

SecurityForest Exploitation Framework:

SecurityForest's Exploitation Framework is similar in concept to Metasploit, and is written in Perl. The major difference is that it leverages the massive number of exploits available in the ExploitTree. These exploits are publicly available and do not have to be rewritten to be used in the framework (no matter what language and sometimes no matter what OS). It basically acts as a graphical user interface to the ExploitTree, which is dynamically updated at the same time as the ExploitTree.

E-mail exploitation frameworks:

PIRANA is an exploitation framework that tests the security of an e-mail content filter. By means of a vulnerability database, the content filter under test is bombarded with e-mails containing a malicious payload intended to compromise the computing platform. PIRANA's goal is to test whether or not any vulnerability exists on the content filtering platform. This tool uses the shellcode generator from the Metasploit Framework!

Browser Exploitation Framework:

BeEF is the browser exploitation framework used to demonstrate the real-time impact of XSS browser vulnerabilities. Download here.

Nikto is an Open Source web server scanner which performs comprehensive tests against web servers for multiple items, including over 3500 potentially dangerous files/CGIs, versions on over 900 servers, and version specific problems on over 250 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired).

Network Vulnerability Scanners

Nessus is a comprehensive vulnerability scanning program. Its goal is to detect potential or confirmed weaknesses on the tested machines.

Immunity Debugger is a powerful new way to write exploits, analyze malware, and reverse engineer binary files. It builds on a solid user interface with function graphing, the industry's first heap analysis tool built specifically for heap creation, and a large and well supported Python API for easy extensibility. It is similar to OllyDbg in functionality and interface.

Immunity Debugger is said to cut exploit development times in half and has a powerful scripting language and connectivity to fuzzers and exploit development tools.

More OpenSource from Microsoft: CodePlex is an Open Source Community Project Hosting website from Microsoft that is very much like SourceForge. So far, it has around 2500 projects. It's also got that whole Web 2.0, RSS and tag thing going on too :-).

We have seen significant growth in the number of client-side vulnerabilities, including vulnerabilities in browsers, in office software, in media players and in other desktop applications. These vulnerabilities are being discovered on multiple operating systems and are being massively exploited in the wild, often to drive recruitment for botnets.

The report does not cover a vulnerability Window of Exposure, or statistics on exploits "in the wild", but it's still interesting. In a previous Symantec Internet Security Threat Report, IE had an average Window of Exposure of 9 days, followed by Safari with 5, Opera with 2 and Mozilla with 1.

Friday, November 30, 2007

Here are a few quick steps for performing malware analysis on various badware (viruses, worms, trojans, rootkits) that you may find in the course of a computer forensics investigation. In this case, I'm analyzing a variant of Sohanad, an instant messaging worm, also known as "the cool pics worm".

We're going to set up VirtualBox (or any other virtualization product) with a copy of Windows XP SP2, update it and take a snapshot so we can easily roll back to a clean system.

Use VirtualBox to install WindowsXP SP2 in a Virtual Machine.

Take a snapshot of the Virtual Machine - Initial Install.

Install VirtualBox Guest Additions

Install Microsoft Update and update the system.

Create an ISO image of your tools, and mount it inside the Virtual Machine.

Take another snapshot of the Virtual machine - Updated and configured.

Add your tools to PATH to speed things up.

Analyze the malware:

Use Process Explorer, Sysinternals Autoruns, RootKitRevealer, HiJackThis and so on to find running processes and targets for analysis, then put them in the virtual machine "sandbox". Also, make sure you check the Digital Signature for files you may suspect of being malware (Right Click - Properties - Digital Signatures). A good way of revealing malware is looking for suspicious entries in Sysinternals Autoruns (just hide signed Microsoft Entries, then look for Unsigned or Fake signature entries). Remember though, malware can also be digitally self-signed.

The Target: "New Folder.exe" - self described as "Worm2007" by "IT University".

Start Sysinternals ProcExp (Process Explorer - taskman on steroids), ProcMon (filemon and regmon combined), handle (check file handles), TCPView and Wireshark (formerly Ethereal) or MS Network Monitor, and run the piece of malware! We're going to see exactly what files and registry items it tries to change, what network connections it opens and what kind of network traffic it generates. We can also use "netstat -abn" to list network connections along with the executable that owns each one. Afterwards we just restore the VirtualBox snapshot to get back to an untainted system.

We restart the machine to allow the malware to apply its group policies and registry changes / autoruns properly :-). We can see the effect of the applied group policies (it disables regedit and taskman, but forgets about gpedit.msc and tasklist, for example).

We use Sysinternals Autoruns, RootKit Revealer and HiJack this to see how this piece of malware starts. With Sysinternals Autoruns we simply hide signed microsoft entries, and we can see 3rd party products, such as our piece of badware, hiding in lsass or svchost or ymessenger named entries.

We use HijackThis to list changes to our system, like disabling regedit, starting a really strange "svchost32.exe" that shouldn't be there, and making the IE default home page "thec**lpics.com" -> don't access it, it's the malware's home page...

To remove the malware, you just need to reverse all the changes it has made to the registry and filesystem. Once you've written down the location of the files from ProcMon and the running binaries from ProcExp, you can start by stopping the virus:

You can stop the Virus processes easily with Process Explorer, or you could just use "taskkill":

taskkill /F /IM svchost32.exe /T

You could also disable it from running at startup by removing it using Sysinternals Autoruns.

Once you've identified all the processes and what executables they were running from, just use WinDiff, EasyDuplicateFinder or something similar to find all identical binaries, and remove them.

You can then use "Fix checked" in HijackThis, and "reg add" or "reg delete", a .reg file or gpedit.msc to manually re-enable the Registry Editor or other disabled features in Windows. You could also use an offline registry editor. Example:

To restore the files the malware removed (like msconfig.exe), just pop in the Windows CD and use "expand" to uncompress and restore them: EXPAND -R D:\I386\MSCONFIG.EX_ c:\Windows\System32. Windows may also keep some copies of msconfig.exe around, but they may or may not be safe. Check the digital signature.